1 | initial version |
Does Wireshark capture the equivalent of TSecr
If you're referring to the Timestamp Echo Reply field in the TCP Timestamps Option, in Wireshark, the equivalent of the Timestamp Echo Reply field in the TCP Timestamps Option is the Timestamp Echo Reply field in the TCP Timestamps Option.
That field should be displayed in any TCP segment containing that option, assuming the capture wasn't cut short by a "snapshot length" before that field.
What field names would these variables correspond to in tshark output,
The field for the Timestamp Echo Reply field in the TCP Timestamps Option is tcp.options.timestamp.tsecr
.
The "actual time" for a given field, to the extent that packet time stamps are reliably indicated by the packet capture mechanism, is the frame.time
field, which is the absolute time (and date) when the frame arrived on the machine that captured it. ("Reliably indicated" above means that there may be a delay between the time when the frame arrives at the network adapter and the time when the OS time stamps it, so you probably shouldn't count on nanosecond precision, for example.)
Note, however, that the "timestamp clock" used in the TS Value (TSval) and TS Echo Reply (TSecr) in the Timestamps Option is "simply a monotonically non-decreasing serial number, without any connection to time", so there is NO guarantee that you can subtract its value from any other clock, including the clock used to time stamp a packet. Please read RFC 7323 "TCP Extensions for High Performance" carefully before using the TSval or TSecr values.
assuming a
.pcap
input file?
The file format is irrelevant, except perhaps for the frame.time
field, the resolution of which may depend on the file format.